
Systematically Breaking Online WYSIWYG Editors

  • Conference paper

Information Security Applications (WISA 2014)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8909)

Abstract

Cross-Site Scripting (XSS), a vulnerability now around fourteen years old, is still on the rise and remains a continuous threat to web applications. In the last year alone, 150,505 defacements (defacement is the least that an XSS can do) were reported and archived in Zone-H, a cybercrime archive (http://www.zone-h.org/). Online WYSIWYG (What You See Is What You Get) or rich-text editors are nowadays an essential component of web applications. They allow users to edit and enter HTML rich text (i.e., formatted text, images, links, videos, etc.) inside the browser window. Web applications use WYSIWYG editors as part of comment functionality, private messaging between users, blogs, notes, forum posts, spellcheck-as-you-type, ticketing features, and other online services. XSS in WYSIWYG editors is considered more dangerous and more readily exploitable because the user-supplied rich-text content, which may be malicious, is rendered for other users of the web application.

In this paper, we present a security analysis of twenty (20) popular WYSIWYG editors powering thousands of web sites. The analysis includes editors such as Enterprise TinyMCE, EditLive, Lithium, Jive, TinyMCE, PHP HTML Editor, markItUp! universal markup jQuery editor, FreeTextBox (a popular ASP.NET editor), Froala Editor, elRTE, and CKEditor. We also analyze the rich-text editors available on very popular sites such as Twitter, Yahoo Mail, Amazon, GitHub, Magento and many more. To analyze online WYSIWYG editors, the paper also presents a systematic, WYSIWYG-editor-specific XSS attack methodology. We applied this methodology to the online WYSIWYG editors and found XSS in all of them. We show XSS bypasses for old and modern browsers. We have responsibly reported our findings to the respective editor developers, and our suggestions have been incorporated. Finally, we give recommendations for developers of web applications and of WYSIWYG editors.
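As an added illustration of the bug class the abstract describes (this example is not from the paper and not from any editor it analyzes; the payloads are generic, constructed XSS vectors, not the editor-specific bypasses the authors reported): a tag-level allowlist of the kind a rich-text filter might apply, beside a tag-and-attribute allowlist with URL-scheme vetting, and a small check that names any scriptable construct left in the filter output. The allowlists, function names and payload strings are assumptions made for the illustration.

```javascript
// Added example, not code from the paper or from any editor it analyzes.
// Contrasts a tag-level allowlist (a common rich-text filter design) with a
// tag-and-attribute allowlist plus URL-scheme vetting, and flags scriptable
// constructs that survive filtering. Allowlists, function names and payloads
// are assumptions constructed for this illustration.

const ALLOWED_TAGS = new Set(['b', 'i', 'u', 'p', 'br', 'strong', 'em', 'a', 'img']);
// Attributes permitted per tag; tags not listed here keep no attributes at all.
const ALLOWED_ATTRS = { a: new Set(['href', 'title']), img: new Set(['src', 'alt']) };

// Matches one opening or closing tag: <tag attrs> or </tag>.
const TAG_RE = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)\b([^>]*)>/g;
// Matches one attribute: name, name=bare, name="quoted" or name='quoted'.
const ATTR_RE = /([^\s=]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;

// Naive filter: keeps any tag whose name is allowlisted, attributes included.
// An allowed <b> or <img> therefore carries its on* handlers straight through.
function naiveSanitize(html) {
  return html.replace(TAG_RE, (m, _slash, name) =>
    ALLOWED_TAGS.has(name.toLowerCase()) ? m : '');
}

// Scheme allowlist. Whitespace and control characters are removed first because
// browsers ignore them inside a URL, so "java\tscript:" executes as "javascript:".
function safeUrl(value) {
  const v = value.replace(/[\s\u0000-\u001f]/g, '');
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(v);
  return !m || ['http', 'https', 'mailto'].includes(m[1].toLowerCase());
}

// Stricter filter: allowlisted tags, allowlisted attributes per tag, vetted URLs.
// Everything else (on* handlers, style, srcdoc, data-*, ...) is dropped.
function sanitizeRichText(html) {
  return html.replace(TAG_RE, (m, slash, name, rawAttrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return '';
    if (slash) return `</${tag}>`;
    const allowed = ALLOWED_ATTRS[tag] || new Set();
    const kept = [];
    for (const a of rawAttrs.matchAll(ATTR_RE)) {
      const key = a[1].toLowerCase();
      const val = a[2] ?? a[3] ?? a[4] ?? '';
      if (!allowed.has(key)) continue;
      if ((key === 'href' || key === 'src') && !safeUrl(val)) continue;
      kept.push(`${key}="${val.replace(/"/g, '&quot;')}"`);
    }
    return `<${tag}${kept.length ? ' ' + kept.join(' ') : ''}>`;
  });
}

// Check run over filter output: names the scriptable constructs still present.
function findScriptable(html) {
  const hits = [];
  if (/\son[a-z]+\s*=/i.test(html)) hits.push('event-handler attribute');
  if (/javascript:/i.test(html.replace(/\s/g, ''))) hits.push('javascript: URL');
  if (/<(script|svg|iframe|object|embed)\b/i.test(html)) hits.push('scriptable element');
  return hits;
}

// Constructed payloads: generic XSS vectors, not the editor-specific bypasses
// the paper reports.
const PAYLOADS = [
  '<b>bold</b> and <i>italic</i>',             // benign formatting, must survive
  '<img src=x onerror=alert(1)>',               // handler on an allowed tag
  '<a href="javascript:alert(1)">click</a>',    // script scheme in an allowed attribute
  '<b onmouseover=alert(1)>hover</b>',          // handler on a presentational tag
  '<a href="java\tscript:alert(1)">click</a>',  // scheme split by a tab
  '<script>alert(1)</script>',                  // disallowed tag, both filters strip it
];

// Runs both filters over every payload and reports what survives each.
function compare(payloads = PAYLOADS) {
  return payloads.map((p) => ({
    payload: p,
    naive: findScriptable(naiveSanitize(p)),
    strict: findScriptable(sanitizeRichText(p)),
  }));
}

console.log(JSON.stringify(compare(), null, 2));
```

Both filters work on the serialized string: they do not decode HTML entities inside attribute values and do not model how the browser re-parses whatever the editor emits. A production sanitizer should operate on the parsed DOM, and its output should be re-checked after the browser has serialized and re-parsed it, because the string the filter saw and the markup other users' browsers finally render are not guaranteed to be the same.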


Notes

  1. https://translate.twitter.com.
  2. https://twitter.com/.
  3. https://translate.twitter.com.
  4. http://www.tinymce.com/develop/bugtracker_view.php?id=6855|6851|6858.
  5. https://github.com/froala/wysiwyg-editor/issues/33.
  6. http://www.scribd.com/doc/226925089/Stylish-XSS-in-Magento-When-Style-helps-you.

Author information

Corresponding author: Ashar Javed.

A List of WYSIWYG Editors

  1. Mercury Editor: The Rails HTML5 WYSIWYG editor (http://jejacks0n.github.com/mercury)
  2. bootstrap-wysihtml5: Simple, beautiful wysiwyg editor (https://github.com/jhollingworth/bootstrap-wysihtml5)
  3. KindEditor (http://kindeditor.org/)
  4. PHP HTML Editor (http://phphtmleditor.com/demo/)
  5. elRTE, an open-source WYSIWYG HTML editor (http://elrte.org/)
  6. medium-editor (https://github.com/daviferreira/medium-editor)
  7. TinyMCE (http://www.tinymce.com/)
  8. Lithium (http://www.lithium.com/)
  9. Jive (http://www.jivesoftware.com/)
  10. Froala (http://editor.froala.com/)
  11. CKEditor (http://ckeditor.com/)
  12. EditLive (http://ephox.com/editlive)
  13. jquery.qeditor (https://github.com/huacnlee/jquery.qeditor)
  14. mooeditable (http://cheeaun.github.io/mooeditable/)
  15. HTML5 WYSIWYG Editor (https://github.com/bordeux/HTML-5-WYSIWYG-Editor)
  16. markItUp! universal markup jQuery editor (http://markitup.jaysalvat.com/home/)
  17. FreeTextBox HTML Editor (http://www.freetextbox.com/)
  18. Markdown (http://daringfireball.net/projects/markdown/)
  19. CLEditor (http://premiumsoftware.net/CLEditor/SimpleDemo)
  20. Bootstrap Wysihtml5 with Custom Image Insert (https://github.com/rcode5/image-wysiwyg-sample)

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Javed, A., Schwenk, J. (2015). Systematically Breaking Online WYSIWYG Editors. In: Rhee, KH., Yi, J. (eds) Information Security Applications. WISA 2014. Lecture Notes in Computer Science, vol 8909. Springer, Cham. https://doi.org/10.1007/978-3-319-15087-1_10

  • DOI: https://doi.org/10.1007/978-3-319-15087-1_10
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-15086-4
  • Online ISBN: 978-3-319-15087-1
